FIREWALL ADAPTER FOR STANDARD

COMMUNICATION SYSTEM AND METHOD

by Inventors

Nenad Krtolica and
Dalibor Kukoleca

Ned - new stuff, questions and areas that need attention
are underlined





TECHNICAL FIELD

This invention relates to routing voice/video/data
communications through firewalls, and more particularly
to such routing through selected firewall ports with
minimal security risk.



BACKGROUND

slow net - UDP saves BW, drop OK; data separate on TCP

Heretofore, security firewalls have interfered with the
smooth exchange of voice/video/data information over the
internet.

This difficulty can be overcome by temporarily reducing
or removing firewall protection.

Firewalls are established and maintained by resident
software (and hardware) to prevent unauthorized entry
into the host LAN (local area network) and unauthorized
access to local hardware and software, and other
resources.

?local data?







They are typically installed between the host system and
the outside world, especially the internet.

However, firewalls may also be intra-organizational
(within a LAN), between the protected host data and
other departments of a host organization.



Without firewalls, casual hackers and other intruders may
enter the host by various means, including uncovering a
password and logging in as a legitimate user, Trojan Horse
tactics, e-mail techniques, open ports, and other low-level
strategies.






Understandably, serious organizations are reluctant to
reduce firewall security.

An alternative to removing firewall protection is to
install costly, standard aware software and hardware
(!! name or type !!), such as a PIX firewall and router
??from prominent supplier Cisco??.

? SHORT DEFINITION OF STANDARD BASED/AWARE ?

Standard based/aware communication tools are selected
from a pool of commercially available, commonly used,
compatible software and hardware.

A typical user may have twenty or so of these standard
based/aware clients (applications) residing locally on
their system.

Voice and video clients include programs based on H323,
MGCP, and SIP, and data transfer clients are generally
T120 based.



Standard aware programs recognize industry standard
header configurations within the communication data
packets.

?? does not need upgraded router or firewall



Currently the four major standard configurations are
H323, MGCP, and SIP for voice and video communications,
and T120 for data transfer.

Both parties need compatible, standard aware equipment,
which is typically complex, requiring an on-site network
security administrator to set up and maintain.

The firewall router may be located at any entry point
into the protected LAN, such as before the first server,
before the frontend router, or before the modem end
router.



The desired seamless communication requires multiple
logical firewall ports in the firewall which are serially
opened one at a time. Each data packet stream forming a
communication crosses the firewall through a different
port.

For security reasons, each next open port in the series
is selected at random from an available port population
of 65,511 out of a total port population of 65,535.



SUMMARY

It is therefore an object of this invention to
provide a standard based/aware, firewall friendly
communication system between a sending party (or
parties) and a receiving party (or parties).

Each party's local system needs only standard based,
user friendly, off-the-shelf, low priced hardware and
software, plus the present firewall adapter.

The firewall adapter is a standard based/aware computer
program which permits multiplex tunneling at a specified
port.



Both parties may already have the required standard based
clients in their systems, and use them regularly for
communication over the internet.

Neither party needs to install any new hardware or
software or review any new operating manuals for
firewalls or routers, other than the present firewall
adapter.

It is another object of this invention to provide
such a standard based system in which the sending party's
system need not be the same as the receiving party's
system or even be compatible therewith.

The present firewall adapter is "portable", having
universal application with various operating systems such
as ?? Windows and Linux, all flavors of Unix.

major commercial feature



It is another object of this invention to provide
such a standard based system which maintains high
security by employing a single, pre-selected port with a
customized set-up configuration.

Port 80 is the default port and is open for busy, heavy
traffic; alternatively, open a non-default port
exclusively for selected traffic, employing a single
custom set-up port.

It is another object of this invention to provide
such a standard based system which provides increased
security by opening a private channel within a logical
firewall port.

coding and scrambling - hard to tap




BRIEF DESCRIPTION OF THE DRAWINGS

Further objects and advantages of the present
standard based system and the firewall adapter will
become apparent from the following detailed description
and drawings, in which:

FIGURE 1 is a block diagram of communication system
10 across internet 10N in which sending party 10S has
firewall 18S and receiving party 10R has firewall 18R.

FIGURE 2 ? DO WE NEED MORE FIGURES ?

Vivl2FW.Adp Krtolica-Kukoleca FW Adapter June 12, 2002



REFERENCE NUMERALS IN DRAWINGS

The table below lists the reference numerals
employed in the figures, and identifies the element
designated by each numeral.

10   Standard Based Communication System 10
10N  Internet 10N
10R  Receiving Party 10R
10S  Sending Party 10S
12D  Data Packets 12D
14M  Format Monitor 14M
16R  Packet Redirector 16R
18F  Security Firewall 18F
18P  Open Port 18P






STANDARD BASED SYSTEM (FIG. 1)

DEFINE NET: a wide area communication network such as
the internet, or a narrow area network such as a local
area network (LAN).

Standard based system 10 supports firewall friendly
communication between sending station 10S and receiving
station 10R across a communication network such as
internet 10N.

The sending and receiving parties may be individuals
using simple PCs at a single work station, or large
organizations using complex computers and machines.

logical channel within port
65k ports
thousands of channels - limited by BW
firewall 12S 12R
prepares open channel both sides

Each station has a standard based communication client
//S and //R.

??
netmeeting - video, voice, data
cucme
intel phone - voice, video
net to phone - voice



Firewall adapters //S and //R are positioned between the
communication client and the firewall.

multi ports ? four or more to single multiplex port
four people talking at once
local ports / firewall ports / internet ports / logical ports
internal/external

Sending data packet stream 12S from sending station 10S
passes from the sending firewall adapter through the
sending firewall, across internet //, through the
receiving firewall



The internet contains proxy server // for NAT (network
address translation).

LAN not regular IP address, visible for outside
private network address starting with 192
problem with private address
calling PC sees real router, not private address

multiports to one entry point
? opens tunnel with many channels - one port
many parallel connections - density and throughput
F2 port tunneling for security ? buried in
tunneling works with all proxy systems
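The single-port tunnel sketched in the notes above (the "multiplex tunneling at a specified port" that the Summary promises), as an added example in Python that is not the draft's own firewall adapter code: each local client's packets are tagged with a logical channel id and carried in one byte stream through the one open firewall port, and the far side reassembles them. The frame layout, the channel numbering, and the mapping of client ports to channels are this example's assumptions; the draft specifies no wire format.

```python
"""Single-port multiplexed tunnel (added example, not the draft's code)."""
import struct
from typing import Dict, List, Tuple

# Tunnel frame: channel id (2 bytes) | payload length (2 bytes) | payload.
# This layout is an assumption of the example; the draft gives no wire format.
HEADER = struct.Struct("!HH")
MAX_PAYLOAD = 0xFFFF

# Local client port -> logical channel inside the tunnel. 1720 and 1503 are the
# registered ports for H.225.0 call signalling and T.120; the ids are ours.
CHANNELS: Dict[int, int] = {1720: 1, 1503: 2}
PORT_OF_CHANNEL = {cid: port for port, cid in CHANNELS.items()}


def mux(channel: int, payload: bytes) -> bytes:
    """Wrap one client packet in a tunnel frame for the single open port."""
    if not 0 <= channel <= 0xFFFF:
        raise ValueError("channel id out of range")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large for one frame")
    return HEADER.pack(channel, len(payload)) + payload


class Demux:
    """Reassemble frames from a byte stream delivered in arbitrary chunks,
    as a TCP socket would: frames may be split across or merged within reads."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, data: bytes) -> List[Tuple[int, bytes]]:
        """Append received bytes; return every now-complete (channel, payload)."""
        self._buf += data
        frames: List[Tuple[int, bytes]] = []
        while len(self._buf) >= HEADER.size:
            channel, length = HEADER.unpack_from(self._buf)
            end = HEADER.size + length
            if len(self._buf) < end:
                break                          # rest of this frame not yet here
            frames.append((channel, bytes(self._buf[HEADER.size:end])))
            del self._buf[:end]
        return frames

    def pending(self) -> int:
        """Bytes buffered that do not yet form a complete frame."""
        return len(self._buf)


def tunnel_roundtrip(packets: List[Tuple[int, bytes]], chunk_size: int
                     ) -> List[Tuple[int, bytes]]:
    """Push (client port, payload) pairs through the tunnel, hand the wire
    bytes to the receiver in chunk_size slices, and return what it recovers,
    keyed by client port. Frames for channels that were never opened are
    dropped rather than delivered inside the firewall."""
    wire = b"".join(mux(CHANNELS[port], payload) for port, payload in packets)
    demux = Demux()
    delivered: List[Tuple[int, bytes]] = []
    for i in range(0, len(wire), chunk_size):
        for cid, payload in demux.feed(wire[i:i + chunk_size]):
            port = PORT_OF_CHANNEL.get(cid)
            if port is None:
                continue                       # unknown channel: drop
            delivered.append((port, payload))
    if demux.pending():
        raise ValueError("stream ended mid-frame")
    return delivered


if __name__ == "__main__":
    # Constructed sample traffic: two clients talking at once through one port.
    sample = [(1720, b"SETUP"), (1503, b"whiteboard page 1"), (1720, b"CONNECT")]
    print(tunnel_roundtrip(sample, chunk_size=5))
```

Delivering the wire in 5-byte slices exercises the case a TCP socket produces in practice: frames arriving partially and several per read. Dropping frames whose channel was never opened matters because anything the far side writes into the tunnel arrives inside the firewall; the adapter, not the firewall, is the only check on it.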



METHOD OF FIREWALL FRIENDLY OPERATION

The primary steps of the general method of standard
based communication are described below.

The apparatus employed in carrying out this method is
disclosed in FIGs. 1-?, and in the related detailed
descriptions.

Providing firewall 18F between sending party 10S and
receiving party 10R.

Firewalls are typically established when a new system
comes on line, and are maintained continuously.

Opening at least one logical firewall port in the
firewall. This open port may be port 8080, which is
normally open for public interface.

Any other port may be employed as the open port.

More than one port may be opened simultaneously to
improve communication capacity.

However, minimizing the number of open ports reduces the
security risk.



Monitoring traffic outside the firewall. Format
monitor device 14M examines the format of each incoming
data packet.

Packets with expected formats are accepted, and packets
with alien formats are discarded.

Generally, the accepted data packets have either of the
following two major ITU (International Telecommunication
Union) formats:

T120 data format (white board applications, file
transfers, etc.), or

H323 data format (voice and video).

Each format has particular delivery and communication
rules.

? header front end - structure
specified recipients
Redirecting accepted traffic to the open port in the
firewall by means of packet redirector 16R.

Tunnelling the redirected traffic through the firewall
by pushing data packets through the open port.

The tunnelling is bidirectional. The receiving party may
send communications to the sending party through the
same open port in the firewall.

The tunneled data packets are then played (voice),
displayed (video), or processed (data).



The general method may have the following additional
steps:

Selecting another open port in the firewall.
Logical port 8080 is the default port in many systems.

Overuse of port 8080 may crowd the traffic and reach
the port's bandwidth limitations.

? roll-off - loss of data ?

The parties may select another port which has less
traffic.

This selection may be executed automatically by the host
system as traffic density approaches a specified load.
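The format monitor, packet redirector and automatic port selection from the steps above, as an added example in Python that is not part of the draft (which names the steps but gives no code). The monitor admits a packet only if its framing matches one of the two ITU families: H.225.0 call signalling (a TPKT header per RFC 1006 followed by a Q.931 message, whose first byte is the protocol discriminator 0x08) or T.120 (TPKT followed by an X.224 TPDU). The byte-level checks, the load counter that triggers a move to a fresh random port above the well-known range, and the constructed sample packets are this example's assumptions; a production monitor would parse the messages fully.

```python
"""Format monitor, packet redirector and port rollover (added example)."""
import secrets
from typing import List, Optional, Tuple

TPKT_VERSION = 3                      # RFC 1006 header: 0x03, 0x00, length(2)
Q931_PROTOCOL_DISCRIMINATOR = 0x08    # first byte of an H.225.0/Q.931 message
X224_TPDU_CODES = {0xE0, 0xD0, 0xF0}  # CR, CC and DT TPDUs used by T.123/T.120


def classify(packet: bytes) -> Optional[str]:
    """Return "h323", "t120", or None for a malformed or alien packet."""
    if len(packet) < 6 or packet[0] != TPKT_VERSION or packet[1] != 0:
        return None
    if int.from_bytes(packet[2:4], "big") != len(packet):
        return None                   # declared TPKT length must frame the packet
    body = packet[4:]
    if body[0] == Q931_PROTOCOL_DISCRIMINATOR:
        return "h323"
    # X.224: length indicator, TPDU code, then LI more header bytes
    if len(body) >= 2 and body[1] in X224_TPDU_CODES and body[0] + 1 <= len(body):
        return "t120"
    return None


class Redirector:
    """Forward accepted packets to the one open firewall port; when the bytes
    sent through that port would exceed load_limit, move to a fresh random port
    above the well-known range (an assumed rollover policy)."""

    def __init__(self, open_port: int = 8080, load_limit: int = 1_000_000,
                 rng=secrets.randbelow) -> None:
        self.open_port = open_port
        self.load_limit = load_limit
        self.bytes_on_port = 0
        self.used_ports = {open_port}
        self.forwarded: List[Tuple[int, str, bytes]] = []
        self.dropped = 0
        self._rng = rng               # rng(n) -> int in [0, n); injectable for tests

    def next_port(self) -> int:
        """Pick a random port in 1024..65535 not used before in this session."""
        while True:
            candidate = 1024 + self._rng(65536 - 1024)
            if candidate not in self.used_ports:
                self.used_ports.add(candidate)
                return candidate

    def handle(self, packet: bytes) -> Optional[int]:
        """Monitor one incoming packet; return the port it was redirected to,
        or None if it was discarded."""
        fmt = classify(packet)
        if fmt is None:
            self.dropped += 1
            return None
        if self.bytes_on_port + len(packet) > self.load_limit:
            self.open_port = self.next_port()
            self.bytes_on_port = 0
        self.bytes_on_port += len(packet)
        self.forwarded.append((self.open_port, fmt, packet))
        return self.open_port


def tpkt(body: bytes) -> bytes:
    """Prepend an RFC 1006 TPKT header (used here to build sample packets)."""
    return bytes([TPKT_VERSION, 0]) + (len(body) + 4).to_bytes(2, "big") + body


# Constructed sample packets (not captured traffic).
H225_SETUP = tpkt(bytes([0x08, 0x02, 0x00, 0x01, 0x05]))   # Q.931 SETUP, call ref 1
T120_CONNECT = tpkt(bytes([0x06, 0xE0, 0, 0, 0, 0, 0]))    # X.224 connection request
ALIEN_HTTP = b"GET / HTTP/1.0\r\n\r\n"
TRUNCATED = H225_SETUP[:-1]                                # length no longer matches


if __name__ == "__main__":
    r = Redirector(open_port=8080, load_limit=15)
    for pkt in (H225_SETUP, ALIEN_HTTP, T120_CONNECT, TRUNCATED):
        print(r.handle(pkt))
    print("dropped:", r.dropped, "ports used:", sorted(r.used_ports))
```

Requiring the declared TPKT length to equal the packet length is the cheapest defence against truncated or padded frames; a monitor that trusts the declared length would pass an alien payload that hides behind a valid-looking header. Note also that a randomly chosen port is visible to anyone who can observe the tunnel, so the random choice spreads load across ports rather than concealing the traffic.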



CONSUMER PARTY LINE

The present standard based system may provide
internet communication between individual PCs (or groups
of PCs).

? YOU GUYS CAN TALK ME THROUGH THIS SERVICE ?

consumer party line
9.95/mo
piece of a web page
from outlook


CORPORATE CONFERENCE CALL

The present standard based system may also provide
internet conference communication within an organization.

? YOU GUYS CAN TALK ME THROUGH THIS SERVICE ?

corporate conference call
air conference sw
company directory

IP call center router

These are our claims in nearly final form,
plus rough drawings.
We are about half finished.
OUTLINE OF CLAIMS

1) Method

Sending/Receiving Units/Systems
Communication Network
Firewall - local client ports
Standard Aware - in/out information

STEPS

Providing Firewall Adapter
Determining S/R Adapter Port
Establishing Communication
Multiplexing outgoing
Sending
Receiving
DeMultiplexing incoming

STANDARD BASED

2) Standard Aware is Standard Based

FIREWALLS

3) One Firewall
4) Two Firewalls S/R

COMMUNICATION NETWORK

5) Network Protocol
   6) TCP
      7) Voice Video
   8) Internet
   9) WAN
   10) LAN

PORT DETERMINATION

11) Select Port
12) Range of Ports
13) PreDetermined
   14) Default Port
   15) HTTP Port
16) S/R same determined port

CHANNEL

17) Open Channel

PROXY

18) Proxy
   19) Translating

Vivl2FW.Adp Krtolica-Kukoleca Claim Outline July 21, 2003



